refactor cert_store verify

baresip · Jun 5, 2024 · b1f3961 · b1f3961
1 parent 7e6d526
commit b1f3961
Showing 1 changed file with 3 additions and 16 deletions.
diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c
@@ -49,8 +49,6 @@ struct tls {
 	bool verify_client;  /**< Enable SIP TLS client verification   */
 	struct session_reuse reuse;
 	struct list certs;   /**< Certificates for SNI selection       */
-	char *capath;
-	char *cafile;
 };
 
 /**
@@ -129,8 +127,6 @@ static void destructor(void *data)
 	hash_flush(tls->reuse.ht_sessions);
 	mem_deref(tls->reuse.ht_sessions);
 	mem_deref(tls->pass);
-	mem_deref(tls->capath);
-	mem_deref(tls->cafile);
 	list_flush(&tls->certs);
 }
 
@@ -380,12 +376,6 @@ int tls_add_cafile_path(struct tls *tls, const char *cafile,
 		return ENOTDIR;
 	}
 
-	tls->cafile = mem_deref(tls->cafile);
-	tls->capath = mem_deref(tls->capath);
-
-	str_dup(&tls->cafile, cafile);
-	str_dup(&tls->capath, capath);
-
 	/* Load the CAs we trust */
 	if (!(SSL_CTX_load_verify_locations(tls->ctx, cafile, capath))) {
 
@@ -2006,12 +1996,9 @@ int tls_add_certf(struct tls *tls, const char *certf, const char *host)
 	if (err)
 		goto err;
 
-	/* Load the CAs we trust */
-	if (!(SSL_CTX_load_verify_locations(uc->ctx, tls->cafile,
-					    tls->capath))) {
-		err = ENOENT;
-		goto err;
-	}
+	X509_STORE *ca = SSL_CTX_get_cert_store(tls->ctx);
+	X509_STORE_up_ref(ca);
+	SSL_CTX_set_cert_store(uc->ctx, ca);
 
 	list_append(&tls->certs, &uc->le, uc);
 	if (list_count(&tls->certs) == 1)